def test_conditional(self):
x = EVar("x").with_type(INT)
b = EVar("b").with_type(BOOL)
s = SIf(b, SAssign(x, ONE), SAssign(x, ZERO))
assert valid(EEq(
inc.mutate(x, s),
ECond(b, ONE, ZERO).with_type(INT)))
def mutate_in_place(self, lval, e, op, assumptions, invariants, make_subgoal):
from cozy.state_maintenance import mutate
old_value = e
new_value = mutate(e, op)
# added/removed elements
t = TBag(lval.type.elem_type)
old_elems = EHeapElems(old_value).with_type(t)
new_elems = EHeapElems(new_value).with_type(t)
initial_count = make_subgoal(ELen(old_elems))
to_add = make_subgoal(EBinOp(new_elems, "-", old_elems).with_type(t), docstring="additions to {}".format(pprint(lval)))
to_del_spec = EBinOp(old_elems, "-", new_elems).with_type(t)
removed_count = make_subgoal(ELen(to_del_spec))
to_del = make_subgoal(to_del_spec, docstring="deletions from {}".format(pprint(lval)))
# modified elements
f1 = heap_func(old_value)
f2 = heap_func(new_value)
v = fresh_var(t.elem_type)
old_v_key = f1.apply_to(v)
new_v_key = f2.apply_to(v)
mod_spec = EFilter(old_elems, ELambda(v, EAll([EIn(v, new_elems), ENot(EEq(new_v_key, old_v_key))]))).with_type(new_elems.type)
modified = make_subgoal(mod_spec)
intermediate_count = make_subgoal(EBinOp(ELen(old_elems), "-", ELen(to_del_spec)).with_type(INT))
return seq([
SCall(lval, "remove_all", (initial_count, to_del)),
SCall(lval, "add_all", (intermediate_count, to_add)),
SForEach(v, modified, SCall(lval, "update", (v, make_subgoal(new_v_key, a=[EIn(v, mod_spec)]))))])
def test_conditional(self):
x = EVar("x").with_type(INT)
b = EVar("b").with_type(BOOL)
s = SIf(b, SAssign(x, ONE), SAssign(x, ZERO))
assert valid(EEq(
inc.mutate(x, s),
ECond(b, ONE, ZERO).with_type(INT)))
def mutate_in_place(self, lval, e, op, assumptions, make_subgoal):
from cozy.state_maintenance import mutate
old_value = e
new_value = mutate(e, op)
# added/removed elements
t = TBag(lval.type.elem_type)
old_elems = EHeapElems(old_value).with_type(t)
new_elems = EHeapElems(new_value).with_type(t)
initial_count = make_subgoal(ELen(old_elems))
to_add = make_subgoal(EBinOp(new_elems, "-", old_elems).with_type(t), docstring="additions to {}".format(pprint(lval)))
to_del_spec = EBinOp(old_elems, "-", new_elems).with_type(t)
removed_count = make_subgoal(ELen(to_del_spec))
to_del = make_subgoal(to_del_spec, docstring="deletions from {}".format(pprint(lval)))
# modified elements
f1 = heap_func(old_value)
f2 = heap_func(new_value)
v = fresh_var(t.t)
old_v_key = f1.apply_to(v)
new_v_key = f2.apply_to(v)
mod_spec = EFilter(old_elems, ELambda(v, EAll([EIn(v, new_elems), ENot(EEq(new_v_key, old_v_key))]))).with_type(new_elems.type)
modified = make_subgoal(mod_spec)
return seq([
SCall(lval, "remove_all", (initial_count, to_del)),
SCall(lval, "add_all", (EBinOp(initial_count, "-", removed_count).with_type(INT), to_add)),
SForEach(v, modified, SCall(lval, "update", (v, make_subgoal(new_v_key, a=[EIn(v, mod_spec)]))))])
def _setup_handle_updates(self):
"""
This method creates update code for handle objects modified by each op.
Must be called once after all user-specified queries have been added.
"""
for op in self.op_specs:
print("Setting up handle updates for {}...".format(op.name))
handles = reachable_handles_at_method(self.spec, op)
# print("-"*60)
for t, bag in handles.items():
# print(" {} : {}".format(pprint(t), pprint(bag)))
h = fresh_var(t)
lval = EGetField(h, "val").with_type(t.value_type)
new_val = inc.mutate(lval, op.body)
# get set of modified handles
modified_handles = Query(
fresh_name("modified_handles"), Visibility.Internal, [],
op.assumptions,
EFilter(
EUnaryOp(UOp.Distinct, bag).with_type(bag.type),
ELambda(h, ENot(EEq(lval,
new_val)))).with_type(bag.type),
"[{}] modified handles of type {}".format(
op.name, pprint(t)))
query_vars = [
v for v in free_vars(modified_handles)
if v not in self.abstract_state
]
modified_handles.args = [(arg.id, arg.type)
for arg in query_vars]
# modify each one
subqueries = []
state_update_stm = inc.mutate_in_place(
lval,
lval,
op.body,
abstract_state=self.abstract_state,
assumptions=list(op.assumptions) +
[EDeepIn(h, bag),
EIn(h, modified_handles.ret)],
invariants=self.abstract_invariants,
subgoals_out=subqueries)
for sub_q in subqueries:
sub_q.docstring = "[{}] {}".format(op.name,
sub_q.docstring)
state_update_stm = self._add_subquery(
sub_q=sub_q, used_by=state_update_stm)
if state_update_stm != SNoOp():
state_update_stm = SForEach(
h,
ECall(modified_handles.name,
query_vars).with_type(bag.type),
state_update_stm)
state_update_stm = self._add_subquery(
sub_q=modified_handles, used_by=state_update_stm)
self.handle_updates[(t, op.name)] = state_update_stm
def test_handle_writes(self):
t = THandle("elem_type", INT)
x = EVar("x").with_type(t)
y = EVar("y").with_type(t)
z = EVar("z").with_type(t)
e1 = EGetField(x, "val").with_type(t.value_type)
e2 = inc.mutate(e1, SAssign(EGetField(y, "val").with_type(t.value_type), ZERO))
assert not valid(EEq(e1, e2))
assert valid(EImplies(ENot(EEq(x, y)), EEq(e1, e2)))
def test_handle_writes(self):
t = THandle("T", INT)
x = EVar("x").with_type(t)
y = EVar("y").with_type(t)
z = EVar("z").with_type(t)
e1 = EGetField(x, "val").with_type(t.value_type)
e2 = inc.mutate(e1, SAssign(EGetField(y, "val").with_type(t.value_type), ZERO))
assert not valid(EEq(e1, e2))
assert valid(EImplies(ENot(EEq(x, y)), EEq(e1, e2)))
def test_mutate_preserves_statevar(self):
x = EVar("x").with_type(INT)
e = EBinOp(EStateVar(x), "+", ONE)
assert retypecheck(e)
s = SAssign(x, EBinOp(x, "+", ONE).with_type(INT))
e2 = inc.mutate(e, s)
e2 = inc.repair_EStateVar(e2, [x])
print(pprint(e))
print(pprint(e2))
assert e2 == EBinOp(EBinOp(EStateVar(x), "+", ONE), "+", ONE)
def test_mutate_preserves_statevar(self):
x = EVar("x").with_type(INT)
e = EBinOp(EStateVar(x), "+", ONE)
assert retypecheck(e)
s = SAssign(x, EBinOp(x, "+", ONE).with_type(INT))
e2 = strip_EStateVar(inc.mutate(e, s))
e2 = repair_well_formedness(e2, context=RootCtx(state_vars=[x], args=[]))
print(pprint(e))
print(pprint(e2))
assert e2 == EBinOp(EBinOp(EStateVar(x), "+", ONE), "+", ONE)
def test_mutate_preserves_statevar(self):
x = EVar("x").with_type(INT)
e = EBinOp(EStateVar(x), "+", ONE)
assert retypecheck(e)
s = SAssign(x, EBinOp(x, "+", ONE).with_type(INT))
e2 = strip_EStateVar(inc.mutate(e, s))
e2 = repair_well_formedness(e2,
context=RootCtx(state_vars=[x], args=[]))
print(pprint(e))
print(pprint(e2))
assert e2 == EBinOp(EBinOp(EStateVar(x), "+", ONE), "+", ONE)
def test_mutate_sequence_order2(self):
e = EVar("xs").with_type(INT_BAG)
x = EVar("x").with_type(INT)
y = EVar("y").with_type(INT)
s = SSeq(
SCall(e, "remove", (y,)),
SCall(e, "add", (x,)))
assert valid(EDeepEq(
inc.mutate(e, s),
EBinOp(EBinOp(e, "-", ESingleton(y).with_type(INT_BAG)).with_type(INT_BAG), "+", ESingleton(x).with_type(INT_BAG)).with_type(INT_BAG)))
def test_mutate_sequence_order2(self):
e = EVar("xs").with_type(INT_BAG)
x = EVar("x").with_type(INT)
y = EVar("y").with_type(INT)
s = SSeq(
SCall(e, "remove", (y,)),
SCall(e, "add", (x,)))
assert valid(EDeepEq(
inc.mutate(e, s),
EBinOp(EBinOp(e, "-", ESingleton(y).with_type(INT_BAG)).with_type(INT_BAG), "+", ESingleton(x).with_type(INT_BAG)).with_type(INT_BAG)))
def check_ops_preserve_invariants(spec : Spec):
if not invariant_preservation_check.value:
return []
res = []
for m in spec.methods:
if not isinstance(m, Op):
continue
for a in spec.assumptions:
print("Checking that {} preserves {}...".format(m.name, pprint(a)))
a_post_delta = mutate(a, m.body)
assumptions = list(m.assumptions) + list(spec.assumptions)
if not valid(EImplies(EAll(assumptions), a_post_delta)):
res.append("{.name!r} may not preserve invariant {}".format(m, pprint(a)))
return res
def check_ops_preserve_invariants(spec : Spec):
if not invariant_preservation_check.value:
return []
res = []
for m in spec.methods:
if not isinstance(m, Op):
continue
for a in spec.assumptions:
print("Checking that {} preserves {}...".format(m.name, pprint(a)))
a_post_delta = mutate(a, m.body)
if not alpha_equivalent(a, a_post_delta):
assumptions = list(m.assumptions) + list(spec.assumptions)
if not valid(EImplies(EAll(assumptions), a_post_delta)):
res.append("{.name!r} may not preserve invariant {}".format(m, pprint(a)))
return res
def check_calls_wf(spec : Spec):
res = []
queries = { m.name : m for m in spec.methods if isinstance(m, Query) }
for ctx in enumerate_fragments(spec):
e = ctx.e
if isinstance(e, ECall):
q = queries.get(e.func)
if q is None:
continue
print("Checking call {}...".format(pprint(e)))
a = EAll(ctx.facts)
for precond in q.assumptions:
precond = mutate(subst(precond, { v : val for (v, t), val in zip(q.args, e.args) }), ctx.mutations)
if not valid(inline_calls(spec, EImplies(a, precond))):
res.append("at {}: call may not satisfy precondition {}".format(pprint(e), pprint(precond)))
return res
def _setup_handle_updates(self):
"""
This method creates update code for handle objects modified by each op.
Must be called once after all user-specified queries have been added.
"""
for op in self.op_specs:
print("Setting up handle updates for {}...".format(op.name))
handles = reachable_handles_at_method(self.spec, op)
# print("-"*60)
for t, bag in handles.items():
# print(" {} : {}".format(pprint(t), pprint(bag)))
h = fresh_var(t)
lval = EGetField(h, "val").with_type(t.value_type)
new_val = inc.mutate(lval, op.body)
# get set of modified handles
modified_handles = Query(
fresh_name("modified_handles"),
Visibility.Internal, [], op.assumptions,
EFilter(EUnaryOp(UOp.Distinct, bag).with_type(bag.type), ELambda(h, ENot(EEq(lval, new_val)))).with_type(bag.type),
"[{}] modified handles of type {}".format(op.name, pprint(t)))
query_vars = [v for v in free_vars(modified_handles) if v not in self.abstract_state]
modified_handles.args = [(arg.id, arg.type) for arg in query_vars]
# modify each one
subqueries = []
state_update_stm = inc.mutate_in_place(
lval,
lval,
op.body,
abstract_state=self.abstract_state,
assumptions=list(op.assumptions) + [EDeepIn(h, bag), EIn(h, modified_handles.ret)],
invariants=self.abstract_invariants,
subgoals_out=subqueries)
for sub_q in subqueries:
sub_q.docstring = "[{}] {}".format(op.name, sub_q.docstring)
state_update_stm = self._add_subquery(sub_q=sub_q, used_by=state_update_stm)
if state_update_stm != SNoOp():
state_update_stm = SForEach(h, ECall(modified_handles.name, query_vars).with_type(bag.type), state_update_stm)
state_update_stm = self._add_subquery(sub_q=modified_handles, used_by=state_update_stm)
self.handle_updates[(t, op.name)] = state_update_stm
def possibly_useful_nonrecursive(solver, e : Exp, context : Context, pool = RUNTIME_POOL, assumptions : Exp = ETRUE, ops : [Op] = ()) -> bool:
"""Heuristic filter to ignore expressions that are almost certainly useless."""
state_vars = OrderedSet(v for v, p in context.vars() if p == STATE_POOL)
args = OrderedSet(v for v, p in context.vars() if p == RUNTIME_POOL)
assumptions = EAll([assumptions, context.path_condition()])
at_runtime = pool == RUNTIME_POOL
h = extension_handler(type(e))
if h is not None:
res = h.possibly_useful(e, context, pool, assumptions, ops, solver)
if not res:
return res
if isinstance(e, EStateVar) and not free_vars(e.e):
return No("constant value in state position")
if (isinstance(e, EDropFront) or isinstance(e, EDropBack)) and not at_runtime:
return No("EDrop* in state position")
if not allow_big_sets.value and isinstance(e, EFlatMap) and not at_runtime:
return No("EFlatMap in state position")
if not allow_int_arithmetic_state.value and not at_runtime and isinstance(e, EBinOp) and e.type == INT:
return No("integer arithmetic in state position")
if is_collection(e.type) and not is_scalar(e.type.elem_type):
return No("collection of nonscalar: e {}\n elem_type: {}\n".format(e, e.type.elem_type))
if isinstance(e.type, TMap) and not is_scalar(e.type.k):
return No("bad key type {}".format(pprint(e.type.k)))
if isinstance(e.type, TMap) and isinstance(e.type.v, TMap):
return No("map to map")
# This check is probably a bad idea: whether `the` is legal may depend on
# the contex that the expression is embedded within, so we can't skip it
# during synthesis just because it looks invalid now.
# if isinstance(e, EUnaryOp) and e.op == UOp.The:
# len = EUnaryOp(UOp.Length, e.e).with_type(INT)
# if not valid(EImplies(assumptions, EBinOp(len, "<=", ENum(1).with_type(INT)).with_type(BOOL))):
# return No("illegal application of 'the': could have >1 elems")
if not at_runtime and isinstance(e, EBinOp) and e.op == "-" and is_collection(e.type):
return No("collection subtraction in state position")
# if not at_runtime and isinstance(e, ESingleton):
# return No("singleton in state position")
if not allow_nonzero_state_constants.value and not at_runtime and isinstance(e, ENum) and e.val != 0:
return No("nonzero integer constant in state position")
if not allow_binop_state.value and at_runtime and isinstance(e, EStateVar) and isinstance(e.e, EBinOp) and is_scalar(e.e.e1.type) and is_scalar(e.e.e2.type):
return No("constant-time binary operator {!r} in state position".format(e.e.op))
if not allow_conditional_state.value and not at_runtime and isinstance(e, ECond):
return No("conditional in state position")
if isinstance(e, EMakeMap2) and isinstance(e.e, EEmptyList):
return No("trivially empty map")
if isinstance(e, EMakeMap2) and isinstance(e.e, ESingleton):
return No("really tiny map")
if not at_runtime and (isinstance(e, EArgMin) or isinstance(e, EArgMax)):
# Cozy has no way to efficiently implement mins/maxes when more than
# one element may leave the collection.
from cozy.state_maintenance import mutate
for op in ops:
elems = e.e
elems_prime = mutate(elems, op.body)
formula = EAll([assumptions] + list(op.assumptions) + [EGt(ELen(EBinOp(elems, "-", elems_prime).with_type(elems.type)), ONE)])
if solver.satisfiable(formula):
return No("more than one element might be removed during {}".format(op.name))
if not allow_peels.value and not at_runtime and isinstance(e, EFilter):
# catch "peels": removal of zero or one elements
if solver.valid(EImplies(assumptions, ELe(ELen(EFilter(e.e, ELambda(e.predicate.arg, ENot(e.predicate.body))).with_type(e.type)), ONE))):
return No("filter is a peel")
if not allow_big_maps.value and not at_runtime and isinstance(e, EMakeMap2) and is_collection(e.type.v):
all_collections = [sv for sv in state_vars if is_collection(sv.type)]
total_size = ENum(0).with_type(INT)
for c in all_collections:
total_size = EBinOp(total_size, "+", EUnaryOp(UOp.Length, c).with_type(INT)).with_type(INT)
my_size = EUnaryOp(UOp.Length, EFlatMap(EUnaryOp(UOp.Distinct, e.e).with_type(e.e.type), e.value_function).with_type(e.type.v)).with_type(INT)
s = EImplies(
assumptions,
EBinOp(total_size, ">=", my_size).with_type(BOOL))
if not solver.valid(s):
return No("non-polynomial-sized map")
return True
def _maintenance_cost(e: Exp, op: Op, freebies: [Exp] = []):
"""Determines the cost of maintaining the expression when there are
freebies and ops being considered.
The cost is the result of mutating the expression and getting the storage
size of the difference between the mutated expression and the original.
"""
e_prime = mutate(e, op.body)
if alpha_equivalent(e, e_prime):
return ZERO
h = extension_handler(type(e.type))
if h is not None:
return h.maintenance_cost(old_value=e,
new_value=e_prime,
op=op,
freebies=freebies,
storage_size=storage_size,
maintenance_cost=_maintenance_cost)
if is_scalar(e.type):
return storage_size(e, freebies)
elif isinstance(e.type, TBag) or isinstance(e.type, TSet):
things_added = storage_size(
EBinOp(e_prime, "-", e).with_type(e.type), freebies).with_type(INT)
things_remov = storage_size(
EBinOp(e, "-", e_prime).with_type(e.type), freebies).with_type(INT)
return ESum([things_added, things_remov])
elif isinstance(e.type, TList):
return storage_size(e_prime, freebies)
elif isinstance(e.type, TMap):
keys = EMapKeys(e).with_type(TBag(e.type.k))
vals = EMap(
keys,
mk_lambda(e.type.k,
lambda k: EMapGet(e, k).with_type(e.type.v))).with_type(
TBag(e.type.v))
keys_prime = EMapKeys(e_prime).with_type(TBag(e_prime.type.k))
vals_prime = EMap(
keys_prime,
mk_lambda(e_prime.type.k, lambda k: EMapGet(e_prime, k).with_type(
e_prime.type.v))).with_type(TBag(e_prime.type.v))
keys_added = storage_size(
EBinOp(keys_prime, "-", keys).with_type(keys.type),
freebies).with_type(INT)
keys_rmved = storage_size(
EBinOp(keys, "-", keys_prime).with_type(keys.type),
freebies).with_type(INT)
vals_added = storage_size(
EBinOp(vals_prime, "-", vals).with_type(vals.type),
freebies).with_type(INT)
vals_rmved = storage_size(
EBinOp(vals, "-", vals_prime).with_type(vals.type),
freebies).with_type(INT)
keys_difference = ESum([keys_added, keys_rmved])
vals_difference = ESum([vals_added, vals_rmved])
return EBinOp(keys_difference, "*", vals_difference).with_type(INT)
else:
raise NotImplementedError(repr(e.type))
def possibly_useful_nonrecursive(
solver,
e: Exp,
context: Context,
pool=RUNTIME_POOL,
assumptions: Exp = ETRUE,
ops: [Op] = ()) -> bool:
"""Heuristic filter to ignore expressions that are almost certainly useless."""
state_vars = OrderedSet(v for v, p in context.vars() if p == STATE_POOL)
args = OrderedSet(v for v, p in context.vars() if p == RUNTIME_POOL)
assumptions = EAll([assumptions, context.path_condition()])
at_runtime = pool == RUNTIME_POOL
h = extension_handler(type(e))
if h is not None:
res = h.possibly_useful(e, context, pool, assumptions, ops, solver)
if not res:
return res
if isinstance(e, EStateVar) and not free_vars(e.e):
return No("constant value in state position")
if (isinstance(e, EDropFront)
or isinstance(e, EDropBack)) and not at_runtime:
return No("EDrop* in state position")
if not allow_big_sets.value and isinstance(e, EFlatMap) and not at_runtime:
return No("EFlatMap in state position")
if not allow_int_arithmetic_state.value and not at_runtime and isinstance(
e, EBinOp) and e.type == INT:
return No("integer arithmetic in state position")
if is_collection(e.type) and not is_scalar(e.type.elem_type):
return No("collection of nonscalar: e {}\n elem_type: {}\n".format(
e, e.type.elem_type))
if isinstance(e.type, TMap) and not is_scalar(e.type.k):
return No("bad key type {}".format(pprint(e.type.k)))
if isinstance(e.type, TMap) and isinstance(e.type.v, TMap):
return No("map to map")
# This check is probably a bad idea: whether `the` is legal may depend on
# the contex that the expression is embedded within, so we can't skip it
# during synthesis just because it looks invalid now.
# if isinstance(e, EUnaryOp) and e.op == UOp.The:
# len = EUnaryOp(UOp.Length, e.e).with_type(INT)
# if not valid(EImplies(assumptions, EBinOp(len, "<=", ENum(1).with_type(INT)).with_type(BOOL))):
# return No("illegal application of 'the': could have >1 elems")
if not at_runtime and isinstance(
e, EBinOp) and e.op == "-" and is_collection(e.type):
return No("collection subtraction in state position")
# if not at_runtime and isinstance(e, ESingleton):
# return No("singleton in state position")
if not allow_nonzero_state_constants.value and not at_runtime and isinstance(
e, ENum) and e.val != 0:
return No("nonzero integer constant in state position")
if not allow_binop_state.value and at_runtime and isinstance(
e, EStateVar) and isinstance(e.e, EBinOp) and is_scalar(
e.e.e1.type) and is_scalar(e.e.e2.type):
return No(
"constant-time binary operator {!r} in state position".format(
e.e.op))
if not allow_conditional_state.value and not at_runtime and isinstance(
e, ECond):
return No("conditional in state position")
if isinstance(e, EMakeMap2) and isinstance(e.e, EEmptyList):
return No("trivially empty map")
if isinstance(e, EMakeMap2) and isinstance(e.e, ESingleton):
return No("really tiny map")
if not at_runtime and (isinstance(e, EArgMin) or isinstance(e, EArgMax)):
# Cozy has no way to efficiently implement mins/maxes when more than
# one element may leave the collection.
from cozy.state_maintenance import mutate
for op in ops:
elems = e.e
elems_prime = mutate(elems, op.body)
formula = EAll([assumptions] + list(op.assumptions) + [
EGt(
ELen(
EBinOp(elems, "-", elems_prime).with_type(elems.type)),
ONE)
])
if solver.satisfiable(formula):
return No(
"more than one element might be removed during {}".format(
op.name))
if not allow_peels.value and not at_runtime and isinstance(e, EFilter):
# catch "peels": removal of zero or one elements
if solver.valid(
EImplies(
assumptions,
ELe(
ELen(
EFilter(
e.e,
ELambda(e.predicate.arg, ENot(
e.predicate.body))).with_type(e.type)),
ONE))):
return No("filter is a peel")
if not allow_big_maps.value and not at_runtime and isinstance(
e, EMakeMap2) and is_collection(e.type.v):
all_collections = [sv for sv in state_vars if is_collection(sv.type)]
total_size = ENum(0).with_type(INT)
for c in all_collections:
total_size = EBinOp(total_size, "+",
EUnaryOp(UOp.Length,
c).with_type(INT)).with_type(INT)
my_size = EUnaryOp(
UOp.Length,
EFlatMap(
EUnaryOp(UOp.Distinct, e.e).with_type(e.e.type),
e.value_function).with_type(e.type.v)).with_type(INT)
s = EImplies(assumptions,
EBinOp(total_size, ">=", my_size).with_type(BOOL))
if not solver.valid(s):
return No("non-polynomial-sized map")
return True
